Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks

A fundamental truth of system design is that, in the absence of countermeasures, a system's security and survivability will degrade over time. Changes in the environment or usage of a system, or changes to the elements that compose the system, often introduce new or elevated threats that the system was not designed to handle and is ill-prepared to defend itself against. The first step in evolving to meet new threats to your system's security and survivability is to recognize the need to modify your system, that is, to recognize changes in security and survivability risks that trigger the need to enter the evolution phase of the system development life cycle. It is essential that significant risk management resources be devoted to the ongoing evolution of any mission-critical system. The successful evolutionary design of a secure and survivable system is dependent on the continual monitoring of the system and its environment to detect changes that may affect the risk management assumptions on which the system's security and survivability are founded

Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues

In the cyber world, the current state of the practice regarding the technical ability to track and trace Internet-based attacks is primitive at best. Sophisticated attacks can be almost impossible to trace to their true source using current practices. The anonymity enjoyed by today's cyber-attackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement of global collaboration and cooperation in all areas of human endeavor. Part I of this report examines the current state of the Internet environment and the reasons why tracking and tracing cyber-attackers is so difficult. Part II examines some promising research on technical approaches that may greatly improve the ability to track and trace cyber-attacks to their source. Also discussed are some policy considerations with regard to privacy, information sharing, liability, and other policy issues that would be faced by the U. S. State Department in negotiating international agreements for cooperation and collaboration in the tracking and tracing of cyber-attacks. The report concludes with a closer look at technical and policy considerations for next-generation Internet protocols to enhance track and trace capabilities

Results of SEI Independent Research and Development Projects and Report on Emerging Technologies and Technology Trends (FY 2004)

Each year, the Software Engineering Institute (SEI) undertakes several Independent Research and Development (IR&D) projects. These projects serve to (1) support feasibility studies investigating whether further work by the SEI would be of potential benefit, and (2) support further exploratory work to determine whether there is sufficient value in eventually funding the feasibility study work as an SEI initiative. Projects are chosen based on their potential to mature and/or transition software engineering practices, develop information that will help in deciding whether further work is worth funding, and set new directions for SEI work. This report describes the IR&D projects that were conducted during fiscal year 2004 (October 2003 through September 2004). In addition, this report provides information on what the SEI has learned in its role as a technology scout for developments over the past year in the field of software engineering

Results of SEI Independent Research and Development Projects (FY 2010)

The Software Engineering Institute (SEI) annually undertakes several independent research and development (IRAD) projects. These projects serve to (1) support feasibility studies investigating whether further work by the SEI would be of potential benefit and (2) support further exploratory work to determine whether there is sufficient value in eventually funding the feasibility study work as an SEI initiative. Projects are chosen based on their potential to mature and/or transition software engineering practices, develop information that will help in deciding whether further work is worth funding, and set new directions for SEI work. This report describes the IRAD projects that were conducted during fiscal year 2010 (October 2009 through September 2010).</p